The 2018 Deloitte-NASCIO Cybersecurity Study
States at risk: Bold plays for change

State CISOs have gained considerable influence since the role first appeared—but crucial funding and talent challenges remain. Three bold actions can help today’s state CISOs find the resources to safeguard their state’s IT infrastructures.

US state chief information security officers (CISOs) have an opportunity to pursue three “bold plays” that can help them address persistent budgetary and talent challenges to improving their state’s cybersecurity posture, according to a new survey by Deloitte & Touche LLP and the National Association of State Chief Information Officers (NASCIO).


State CISOs have increased in visibility and influence since the role first appeared almost a decade ago, says the 2018 Deloitte-NASCIO Cybersecurity Study—States at risk: Bold plays for change. Yet many still struggle to secure funding for cybersecurity initiatives and find qualified talent. To help address these challenges, state CISOs can leverage their increased visibility and influence to:

Advocate for dedicated cyber program funding. CISOs can raise cybersecurity’s profile with the state legislature and executive branch by making it a line item in the IT budget. They can also seek funding from large federal agencies to implement their security requirements and controls.

Be an enabler of innovation, not a barrier. CISOs should actively participate in shaping their state’s innovation agenda, collaborate with state digital and innovation officers, and lead the charge to help program leaders embrace and securely adopt new technologies.

Team with the private sector and higher education. CISOs can leverage public-private partnerships and collaborations with local colleges and universities to provide a pipeline of new talent through internships, co-ops, and apprenticeship programs. They could also consider outsourcing some cybersecurity functions to external providers.

Despite funding and talent challenges, the state CISO role is rapidly maturing, and the CISOs themselves are taking on a greater scope of authority. All 50 states have established the CISO’s authority via the legislature, secretary, or CIO. In addition, most states now have documented and approved cybersecurity governance plans—40 states in 2018, compared to just 29 states in 2016. The vast majority of CISOs (90 percent, up from 76 percent in 2016) have extended their scope of authority beyond their own agency to align with all executive agencies in their state government.

Further evidencing their growing mastery of the role, many CISOs have expanded cybersecurity awareness training and security threat assessments. Most states—94 percent in 2018, up from 84 percent in 2016—deliver cybersecurity training to state employees and contractors at least annually. In addition, CISOs are conducting more regular assessments of top security threats. In particular, this year’s survey showed a dramatic rise since 2016 in monthly assessments for Web applications, the top threat experienced by CISOs this year.

States also show they are beginning to take steps to address privacy, an emerging issue related to cybersecurity. Notable in this year’s survey, more states than in previous surveys report having a chief privacy officer (CPO): In 2018, more than a quarter of states had one, compared to less than a fifth in 2016.

Perhaps most encouragingly, cybersecurity is being elevated to state leadership as a key issue on a regular basis. This year’s survey found that CISOs have increased their regular reporting to state leadership. A fifth of state respondents said that they report monthly to the governor, and a third report monthly to the state secretary or deputy secretary. Monthly reporting to business stakeholders has also increased—to 25 percent, up from 10 percent in 2016. And more states are engaging with both business line and technology decision-makers in making strategy decisions—88 percent in 2018, up from 75.5 percent in 2016.

Authors

Srini Subramanian is a principal in Deloitte & Touche LLP’s Cyber Risk Services practice and leads the State, Local, and Higher Ed sector for risk and financial advisory services in the Government & Public Services industry. He is based in Harrisburg, PA.

Doug Robinson is executive director of the National Association of State Chief Information Officers (NASCIO). He is based in Lexington, KY.

Acknowledgments

We thank the NASCIO and Deloitte professionals who helped to develop the survey and execute, analyze, and create the report.

STATE CISO SURVEY REVIEW TEAM

• Elayne Starkey, State of Delaware (retired)
• Rajiv Das, State of Michigan
• Stan Gatewood, State of Georgia
• Mark Gower, State of Oklahoma
• Michael Roling, State of Missouri
• Nancy Rainosek, State of Texas